GDPR for HR: event roundup
Published on 14th December 2022
AI in the workplace, employee monitoring, data subject access requests, and health data were discussed at the event
Thank you very much to everyone who attended our first "GDPR for HR" event. In the session, we looked back at HR data protection and privacy developments over the past 12 months, as well as some of the upcoming changes we expect to see in this area.
AI in the workplace
The post-pandemic move towards hybrid working has seen heightened interest in the use of digital artificial intelligence (AI) tools in the workplace (in areas such as recruitment, work allocation and performance management). In the session, we covered some of the upcoming regulations which will govern AI:
- EU: The EU has set out its proposals for regulating AI in the form of the AI Act and AI Liability Directive. Higher-risk AI applications (which is likely to include some applications in the HR space) will face increased scrutiny prior to use. End users will also be able to bring claims more easily where AI applications result in damage.
- UK: The UK has set out a "pro-innovation" approach to regulating AI which contrasts with the EU's more detailed approach. The UK envisages adopting a high-level set of principles to be implemented by individual regulators, as opposed to implementing a standalone bespoke regulatory framework. In an employment setting, the AI principles could develop through the rulings of employment tribunals or the guidance from employee rights bodies such as Acas.
Key takeaways
On the basis of the planned regulatory developments, employers using AI in their employment lifecycles should consider:
- Completing due diligence before implementing any AI tools;
- Implementing some form of regular human review in relation to the results produced by AI tools;
- Being careful about the potential impact of AI and adopting appropriate strategies to minimise any potential negative impact;
- Encouraging recruitment teams to be open with candidates about how such technologies are used, reducing the risk of negative backlash;
- Reviewing internal AI strategy in line with the proposed guiding UK principles and aligning use of AI tools with emerging regulatory frameworks; and
- Keeping up to date with the upcoming UK AI white paper as well as any announcements from regulators regarding how they intend to interpret and enforce the guiding principles.
Employee monitoring
We have recently seen a significant increase in the use of workplace monitoring practices by employers due to the move to remote working. These include use of CCTV, increased monitoring of emails and use of access cards to monitor and record the location of employees in a building and how long they spend there.
Draft ICO guidance on monitoring
The ICO is currently consulting on draft guidance in respect of monitoring in the workplace focusing on the monitoring of remote and home workers. The guidance includes a requirement to consult employees where new monitoring practices are set to be implemented, as well as documenting any risks and the extent of personal data that will be captured.
This is one to watch and, in due course, it will be worth reviewing the monitoring sections of your data protection policies and staff privacy notices to identify where practices may not align with the guidance.
Monitoring emails in investigations
In the session, we discussed the recent Court of Appeal decision in Brake v Guy, which set out some considerations for employers when monitoring employee emails. In an investigation context, before searching employee emails, you should consider:
- Whether your employment contracts and policies contain robust monitoring provisions and whether you have taken steps to ensure employees are aware of these;
- The sensitivity and nature of the data you might expect to find and whether the information you are looking for could be mixed with personal and delicate matters;
- Whether there is a way of conducting your searches that makes them more targeted;
- The nature of the concerns (for example, serious allegations amounting to criminal behaviour may justify more robust search measures);
- Whether you really need the information to investigate the concerns, how many people need to have access to the information, and how long the investigator should keep it; and
- Recording the reasons for accessing the information and ensuring it is held securely.
Use of CCTV footage as evidence in disciplinary investigations
On using CCTV footage in disciplinary investigations, the Court of Appeal decision in Doolin v The Data Protection Commissioner set out considerations for employers prior to any such use. It highlighted the importance of employers that operate CCTV systems ensuring that data subjects are made aware of all purposes for which CCTV footage is being obtained. Employers should be satisfied that their CCTV policies and any signs accompanying CCTV cameras list these purposes.
Individual rights
Data subject access requests
Over the course of the past year, we have seen a number of regulatory developments in respect of data subject access requests (DSARs), as well as some new advice from the Information Commissioner's Office (ICO) in respect of best practice.
The UK government is considering various amendments to the UK DSAR regime (through the Data Reform Bill). Two of the key changes proposed will affect when employers can refuse to deal with a DSAR, as well as the kind of data that must be disclosed as part of a request.
The current regime sets a high bar for where employers can refuse to deal with a DSAR. The new bill proposes that employers would be able to charge a fee or refuse to respond where a request is "vexatious or excessive". It is likely that this wording will enable employers to refuse to comply with DSARs more often and we may see a move away from DSARs being used as a litigation tactic (we can hope).
The bill also proposes a change to the definition of "personal data". The bill proposes a subjective element to the definition which asks whether the data subject was "identifiable" by the controller or others likely to receive the data at the time the data was processed.
Recent ICO guidance in respect of handling DSARs has focused on the level of communications they expect to see when handling a request:
- The ICO stresses the importance of maintaining communication and trust through proactive communications with data subjects.
- Where there is likely to be a delay or where an extension is required, the ICO stresses the importance of informing the data subject of the delay as soon as possible, with a full explanation and an indication of when it will be possible to provide the data.
Right to erasure
We have seen an increase in the use of other data rights under the GDPR, particularly the right of erasure (that is, the right to be forgotten). We're seeing employers take a proactive response here and start to put processes in place, similar to those that are already in existence in respect of DSARs.
It is important to remember that the right of erasure is a qualified right that can only be exercised in certain circumstances. The key here is to identify which data remains necessary to retain in the course of employment and therefore will be out of reach of the request. Employers should evaluate each kind of data on receipt of an erasure request. Having in place retention processes and an understanding of where personal data sits will be really useful in this respect.
Health data
Draft guidance was issued last month focusing on health data processed in the context of employer-worker relationships. A lot of the content repeats what is in the employment code of practice but with a renewed emphasis on transparency and communications with employees to retain trust, this being a theme that runs throughout the new guidance documents. Some key points were:
- Pre-employment health questionnaires should be revisited to ensure there is a reason for asking each and every question. Good practice is for these to be reviewed by health professionals to ensure they're on point, and interpreted by those who are qualified to draw meaningful conclusions from the information; neither of these is common practice, in our experience.
- When commissioning medical reports, HR should only ask for information on fitness for work or adjustments needed and should not ask for provision of details about an employee's condition.
- Employers should consider whether it is necessary to retain health information collected during employment post termination of employment, and, if the answer is no, this should be deleted.
- Health data should be stored on a separate database rather than on an HR file or, if it sits in an HR file, it should be subject to separate access controls.
- Occupational health providers are likely to be acting as controllers not processors and this may necessitate a change to contract provisions used and privacy notices. Clear information should be provided to workers about how their data will be used, who it might be made available to and why.
- Medical details about workers should only be made available to managers to allow them to discharge their management responsibilities. Any access should be kept to a minimum.
- When workers use work telephone and email accounts to communicate with occupational health, processes should be put in place to ensure that monitoring activities do not compromise confidentiality.
- Genetic data should only be processed as a last resort and in limited circumstances; for example, where an employee has a genetic condition which is likely to pose a risk to others or where it's known that a working practice might pose a specific risk to workers with particular genetic conditions.
Data security
In the session we discussed two recent examples of enforcement activity.
Last month, the ICO handed down a "dissuasive" £4.4 million penalty to Interserve for failure to ensure the security of personal data of 113,000 employees following a cyber attack on their systems.
The hefty fine related to numerous deficiencies in Interserve's IT infrastructure, including the use of outdated operating systems and protocols, ineffective endpoint security and a lack of employee training on phishing. As a result, the ICO determined that Interserve had "failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". There are some useful learning points here about the ICO's expectations of employer security measures.
Also, last month, the Home Office was reprimanded by the ICO for loss of sensitive documents – namely anti-terrorism-related documents containing special category data left at a London venue. The reprimand was issued because the Home Office failed to ensure the security of the personal data and failed to report the data breach within 72 hours.
In the reprimand, the ICO noted that where hard copy documents are removed from employer premises there should be:
- Handling instructions for the removal of documents containing special category data from premises;
- A sign-out process for document removal; and
- Monitoring of whether staff are complying with policies and procedures already in place.
These cases reinforce the point that, to avoid this sort of enforcement action, a proactive approach needs to be taken to data security.
By way of wrap up …
Our view is that we're heading to a positive place, with the government and the ICO wanting to eliminate excessive bureaucracy and reduce the burden on business when it comes to data protection, whilst maintaining high DP standards.
This is good news but, of course, there is some way to go: we'll need to keep an eye on the Reform Bill as it travels through Parliament and keep on top of the new codes of practice and industry-specific guidance being issued by what's likely to be a modernised ICO.
What is for certain is that, going forwards, data protection is set to continue to feature as a recurring and important HR agenda item.